After a summer of meetings around the world [1], the "stakeholders"
are near agreement on how to form the new corporation that will
oversee Internet numbers and domain names. The proposal that has
risen to the top was put forward by Jon Postel, head of the current
Internet Assigned Numbers Agency. The proposed organization is being
called, for the time, the "New IANA." Here are its FAQ [2],
articles of incorporation [3], and the third iteration of its bylaws
[4]. Some of the salients:

The New IANA will be a nonprofit organization based in Los
Angeles.

The organization's main objectives will be to undertake
whatever is necessary to maintain the operational stability of
the Internet and to manage the allocation of new top-level
domain names.

It will be managed by a nine-member board of directors that will
notify the public of any meetings via the Internet at least
14 days in advance.

No government member can become a board member, but
governments will have input through a special advisory committee.

No more than half of the members of the board of directors can
be from one geographic region.

Directors will serve three-year terms and will receive no pay.

The New IANA must be up and running by September 30, when the US
government's contracts with IANA and the InterNIC expire. This stage
of the process aims only to form a New IANA that derives legitimacy
and authority from the support of all parts of the Internet
community worldwide. Most of the hard questions left unresolved by the US
government's white paper [5] are still unresolved, and will be early
on the agenda for the new organization.

The Red Herring broke this story [6] last week containing some of
the most damaging information on Microsoft's practices that I have
seen made public. The memos in question were in the hands of the FTC
when they were probing Microsoft in the early 1990s, but have only
recently come out from under seal in the Caldera lawsuit [7]. The
story was written by reporter Wendy Goldman Rohm from research for
her book "The Microsoft File: The Secret Case Against Bill Gates"
[8]. The Wall Street Journal picked up the story [9] (subscription
required) and tied more of the threads together, but without
crediting Rohm. (The WSJ had received a review copy of "The Microsoft
File.")

The memos are email conversations among Microsoft executives in 1991
and 1992 that discuss deliberately crippling a beta copy of Windows
3.1 so it would produce an obscure error message if run atop DR-DOS,
a competing operating system now owned by Caldera. The code to check
for the existence of DR-DOS was encrypted and obfuscated -- it was
the only encrypted code in the beta -- but was cracked by programmer
Andrew Schulman and published in Dr. Dobb's Journal in 1993 [9a]. Schulman
discovered that the code searched for tiny differences between
MS-DOS and DR-DOS, and when it found the latter it displayed an
obscure but worrying error message: "Non-fatal error detected: Error #4D53.
(Please contact Windows 3.1 Beta Support.)" The non-MS-detecting code
was dropped into 5 places in the beta Win 3.1 code and, according to
Schulman, had no possible legitimate purpose in ensuring the proper
functioning of Windows. The code was still present in three places
in the shipping Win 3.1 product, but had a single byte flipped
to disable it.

The WSJ article [9] ties together the code and Microsoft's
statements at the time with the executives' email memos, and with
the drop-off-a-cliff revenues for DR-DOS following the rigged
Windows 3.1 beta. Here's a quote from email sent by Microsoft Senior
VP Brad Silverberg in 1992:

"What the guy is supposed to do is feel uncomfortable and,
when he has bugs, suspect the problem is DR-DOS and then
go out to buy MS-DOS, or decide not to take the risk for
the other machines he has to buy for in the office."

Microsoft says the memos were taken out of context, that in the
Microsoft culture email is a vehicle for trying out ideas, and
that the company was merely trying to control support costs with
the non-MS-detecting software. Wherever the truth lies, this
material could sway a jury in the Caldera case (which isn't
scheduled to come to trial until next June), or in the antitrust
case, if the feds or the states choose to introduce it.

Over the last 12 years US patent examiners, lacking the
expertise and the resources to research prior art, have issued
thousands of arguably bad patents for software inventions. Owing
to the length of the application process, the mid-1990s saw the
first lapping waves of what may become a floodtide of costly
litigation over software patents. TBTF has been following this trend
since 1995 [10], [11]. In the last week the mainstream technology
press has produced its own flood of articles on the topic of
patents and their likely impact on e-commerce. What got the hive
stirred up was a July appeals court ruling favorable to patents
on business processes [12], [13], which lawyers are regarding as
a landmark. News.com paints the following scenario [14] to bring
home the impact of patents on Net business models:

You're an Internet merchant ramping up for the holiday
shopping season. Your store uses a shopping cart for buyers to
select purchases, accepts credit card payments, and offers
airline frequent flyer miles for purchases. You pay people who
click on your banner ads and send email to notify regular
customers of promotions, including a URL so they can go
directly to the right page. For close-out items, you let shoppers
name their price for an item... Call your patent attorney,
because you may be violating six e-commerce patents, all
issued since March.

Here are several companies recently granted e-commerce patents that
will be bolstered by the appeals-court ruling -- news.com lists five
more [12]:

Priceline.com (Connecticut), for its buyer-driven,
"name-your-price" business model [15]

NetDelivery (Colorado), for a proprietary billing and
cataloging process [16] that it says covers all "push" technologies

UC Berkeley law professor Pamela Samuelson says, "If patents worked
for manufacturers, surely they will work for the information
economy" -- encouraging innovation instead of stifling it. I have serious
doubts.

On August 14 a Norwegian programmer discovered how to write a Java
applet that, when run, can bring down a Windows NT system. This is
not supposed to be possible, of course. Tonny Espeset
<esp2 at online dot no> accomplishes the trick by calling some Java methods
with out-of-bounds arguments (the exploit page does not give details), and on
about half of the NT systems tested the applet immediately crashes
the system right down to a white-button reboot. On some other NT
systems, running the applet corrupts system fonts and cursors; the
symptoms are cured by a reboot. I tried the applet [19] on two NT
4.0 systems and crashed one, corrupted fonts on the other.

Perhaps stimulated by the somewhat divisive events of the past two
weeks [20], [21], the Linux community is rallying around the Linux
Standard Base effort. The recently announced Linux Compatibility
Standards Project [20] has been folded into LSB, which has relaunched
with a new commitment, a new Web site [22], and new partners. Here's
the press release [23]. Thanks to Robert S. Thau <rst at ai dot mit dot edu>
for sending me a copy instantly upon release on 8/25, allowing TBTF
to break the news to an indifferent world.

On a more mainstream note, the issue of Forbes Magazine featuring
Linus Torvalds on the cover has hit the Web. Here's a thumbnail of
the cover [24] and here's the story [25].

The Web Standards Project [26] is two weeks old and has already
garnered significant ink, and pixels, in the world's press (summary
here [27]). The project is the effort of a group of high-profile Web
designers to shame Microsoft and Netscape into implementing
completely the standards upon which the Web is based before venturing
off into proprietary extensions [28]. The developers of the Opera
browser [29], which is just about the only currently viable
competition to the Netscape-Microsoft hegemony, have supported WaSP from
the first. The project's Web site is the epitome of cool: simple
design, unified feel, plenty of variety, and speedy loading. Thanks
to Julianne Chatelain for the pointer.

A programmer in Canada discovered a way to steal Hotmail users'
login IDs and passwords [30]. The exploit uses JavaScript to rewrite,
transparently, part of HotMail's Web interface for email. When a
victim receives an email message containing the Trojan-horse
JavaScript and reads it in the HotMail account, s/he is prompted to
reenter name and password, which have supposedly expired. This
dialog looks like an official HotMail request. The name and password
are captured and emailed to the perpetrator. Here is the
discoverers' exploit page [31]. Microsoft and HotMail were notified of the
vulnerability and worked at top speed on a fix. When they posted
what was billed as a "partial fix" (filtering out JavaScript code)
on 8/24, the exploit's discoverer quickly put up a workaround that
causes the same end result [32]. (He hid the JavaScript code within
IMG tags.) Other Web-based free email services are also thought to
be vulnerable to this exploit. Users of such services might
consider doing without JavaScript for now.

System is provably secure against an adaptive chosen ciphertext attack

Two researchers have devised a way to secure cryptosystems against
"active" attacks [33]. Victor Shoup of IBM Research and Ronald
Cramer of the Swiss Federal Institute of Technology revealed their
new security scheme [34] on 8/24 at Crypto '98 in Santa Barbara.
Their new system would thwart attacks of the sort devised last
spring by Bell Labs researcher Daniel Bleichenbacher (see TBTF for
1998-07-20 [35]). The leader of an IBM team of hackers for hire said,
"This is not the sort of stuff you hold tight and patent. This is
the sort of stuff you publish ... and hope everyone adopts it
quickly."

Patrick S. Malone was driving to work with the radio on and heard
the DJ bragging about the radio station's Web site, extolling the
virtues of their ISP. The DJ made a particular point of the
advantage of using a local ISP:

"And they're right here in _____, so we have a relationship.
We can just call them up and say, 'We're about to send you a
fax with something for the Web site.'"

Thanks to Keith Bostic <nev at bostic dot com> for the forward.

Notes

Last week's TBTF title came from a song by Creedence Clearwater
Revival. Not 3 Dog Night. John Fogerty's Creedence Clearwater Revival.
I know this now. Thirty-one of you told me so. Visit last week's
issue on the Web [36] for some amusing sidelights from this
correspondence.

I've added a new TBTF Thread [37] that may be of interest to fans of
computational physics. It links 9 TBTF articles, from 1995 to this
year, on quantum computing and the frontiers of research into the
quantum realm.

Stakeholder is current business jargon for "someone who has an
interest." The term was popularized, or at least promulgated, in the
US government's green paper and white paper on domain naming. To
me the stakeholder is the lead guy in a vampire hunt.